// vsgdi_nt-c.txt 

// Copyright (c) 2003. Zone Labs, Inc. All Rights Reserved. 

I** ************************************************ ******************** j 

/** ZoneLabs TrueVector Engine **/ 

/** Copyright(c) Zone Labs, Inc. 2003 *7 

'********************************************************************** 



r 
r 

vsgdi_nt.c (vsdatant.sys) 
Driver component for WinNT, hooking/monitoring of GDI calls 
History: 

GF 01/15/2003 Created 

7 

#include "ntddk.h" 
#include "stdarg.h" 
#include "stdio.h" 
#include "vsdatant.h" 
#include "vserror.h" 
#include "vsdriver.h" 



7 



#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 
#defi 



ne WM KEYFIRST 
ne WM KEYDOWN 
ne WM_KEYUP 
ne WM CHAR 
ne WM_DEADCHAR 
ne WM SYSKEYDOWN 
ne WM_SYSKEYUP 
ne WM_SYSCHAR 
ne WM SYSDEADCHAR 
ne WM_KEYLAST 
ne WM_COMMAND 
ne WM_SYSCOMMAND 
ne WM_TIMER 
ne WM_MOUSEFIRST 
ne WM_MOUSEMOVE 
ne WM LBUTTON DOWN 
ne WM_LBUTTONUP 
ne WM_LBUTTON DBLCLK 
ne WM RBUTTONDOWN 
ne WM_RBUTTONUP 
ne WM_RBUTTON DBLCLK 
ne WM_MBUTTONDOWN 
ne WM_MBUTTONUP 
ne WM MBUTTONDBLCLK 
ne WM_MOUSEWHEEL 
ne WM_XBUTTONDOWN 
ne WM_XBUTTONUP 
ne WM_XBUTTON DBLCLK 
ne WM_MOUSELAST 
ne BM_SETCHECK 0x00F1 
ne BM_GETSTATE 0x00 F2 
ne B M S ETSTAT E 0x00F3 



0x0100 
0x0100 
0x0101 
0x0102 
0x0103 

0x0104 
0x0105 
0x0106 

0x0107 
0x0108 
0x0111 
0x0112 
0x0113 

0x0200 
0x0200 
0x0201 
0x0202 
0x0203 
0x0204 
0x0205 
0x0206 
0x0207 
0x0208 
0x0209 
0x020A 
0x020B 
0x020C 

0x020D 
0x020 D 



#define BM_SETSTYLE OxOOF4 
#define BM_CLICK 0x00F5 
#define BM_GETIMAGE 0x00F6 
#define BMSETIMAGE 0x00F7 
// GDI call prototypes 

#define USE R_M ESS AG EC ALL_S E R V I C E_NT 0x00000000 
#define USER_MESSAGE_CALL_SERVICE_2K 0x000011 be 
#define USER_MESSAGE_CALL_SERVICE_XP 0x00001 1cc 
typedef NTSTATUS 
(NTAPI 

*NT_USER_MESSAGE_CALL) ( 

HWND hWnd, 

UINT Msg, 

WPARAM wParam, 

LPARAM IParam, 

LRESULT I Result, 

DWORD dwUnknownl, 

DWORD dwUnknown2); 
#define USER_POST_MESSAGE_SERVICE_NT 0x00000000 
#define USER_POST_MESSAGE_SERVICE_2K 0x00001 1cb 
#define USER_POST_MESSAGE_SERVICE_XP 0x00001 1db 
typedef NTSTATUS 
(NTAPI 

*NT_USER_POST_MESSAGE) ( 

HWND hWnd, 

UINT Msg, 

WPARAM wParam, 

LPARAM IParam); 
#define USER_SEND_INPUT_SERVICE_NT 0x00000000 
#define USER_SEND_INPUT_SERVICE_2K 0x00001 1e1 
#define USER_SEND_INPUT_SERVICE_XP 0x00001 1f6 
typedef UINT 
(NTAPI 

*NT_USER_SEND_INPUT) ( 
UINT nlnputs, // count of input events 

PVOID plnput, // struct _LPINPUT plnputs - array of input events 
intcbSize // size of structure 

); 

#define USER_QUERY_WINDOW_SERVICE_NT 0x00000000 
#define USER_QUERY_WINDOW_SERVICE_2K 0x00001 1d2 
#define USER_QUERY_WINDOW_SERVICE_XP 0x00001 1e3 
#define QUERY_WINDOW_PROCESS 0x00000000 
#define QUERY_WINDOW_THREAD 0x00000001 
typedef DWORD 
(NTAPI 

*NT_USER_QUERY_WINDOW) ( 
HWND hWnd, 

DWORD dwQuery); // See QUERY_WINDOW_??? 
#define USER_GET_FOREGROUND_WINDOW_SERVICE_NT 0x00000000 
#define USER_GET_FOREGROUND_WINDOW_SERVICE_2K 0x00001189 



#define USER_GET_FOREGROUND_WINDOW_SERVICE_XP 0x00001194 

typedef HWND 

(NTAPI 

*NT_US E R_G ET FO REG ROU N D WI N DOW) (); 
NT_USER_MESSAGE_CALL UserMessageCallHandler = NULL; 
NT_USER_POST_MESSAGE UserPostMessageHandler = NULL; 
NT_USER_SEND_INPUT UserSendlnputHandler = NULL; 
HOOK_FUNCTION hUserMessageCall = {0}; 
HOOK_FUNCTION hUserPostMessage = {0}; 
HOOK_FUNCTION hUserSendlnput = {0}; 
// Utility stuff we need to call 

NT_USER_QUERY_WINDOW NtUserQueryWindow = NULL; 

NT_USER_GET_FOREGROUND_WINDOW NtUserGetForegroundWindow = NULL; 

#define MAX_PROCESS_FILTER 4 

DWORD dwProcFilter[MAX_PROCESS_FILTER] = {0}; 

HWND hWndLast = NULL; 

DWORD dwProcldLast = 0; 

BOOL lsProcessFilter(DWORD dwProcessID) 

{ 

DWORD n; 

for (n = 0; n< MAX_PROCESS_FILTER; n++) 
{ 

if (dwProcFilter[n] == dwProcessID) 
return TRUE; 

} 

return FALSE; 

} 

NTSTATUS AddProcessFilter(DWORD dwProcessID) 
{ 

DWORD n; 

for (n = 0; n < MAX_PROCESS_FILTER; n++) 
{ 

if (dwProcFilter[n] == dwProcessID) 
return STATUS_SUCCESS; 
if (dwProcFilter[n] == 0) 

{ 

dwProcFilter[n] = dwProcessID; 
return STATUS_SUCCESS; 

} 

} 

return STATUSJJNSUCCESSFUL; 

} 

NTSTATUS DelProcessFilter(DWORD dwProcessID) 
{ 

DWORD n; 

for (n = 0; n < MAX_PROCESS_FILTER; n++) 
{ 

if (dwProcFilter[n] == dwProcessID) 
{ 

dwProcFilter[n] =0; 



return STATUS_SUCCESS; 

} 

} 

return STATUSJJNSUCCESSFUL; 

} 

BOOL WndContinue( 
HWND hWnd) 

{ 

if (NtUserQueryWindow) 
{ 

DWORD dwProcessID; 
if (hWnd == hWndLast) 
{ 

dwProcessID = dwProcldLast; 

} 

else 
{ 

dwProcessID = NtUserQueryWindow(hWnd, QUERY_WINDOW_PROCESS); 
dwProcldLast = dwProcessID; 
hWndLast = hWnd; 

} 

if (IsProcessFilter(dwProcesslD) && 
(dwProcessID != GetCurrentProcesslD())) 

{ 

return FALSE; 

} 

} 

return TRUE; 

} 

BOOL MsgContinue( 
HWND hWnd, 
UINT Msg, 
WPARAM wParam, 
LPARAM IParam) 

{ 

BOOL bProtect = FALSE; 
BOOL bContinue = TRUE; 
switch (Msg) 
{ 

// If we're not interested in a message at all, let's find that out first 
//case WM_QUIT: 
case WM TIMER: 

if (IParam == 0) 

break; 
// fall through 
case WM_KEYDOWN: 
case WM SYSKEYDOWN : 
case WM_KEYUP: 
case WM_SYSKEYUP: 
case WM_LBUTTONDOWN: 



case WM_LBUTTONUP: 
case WM_RBUTTON DOWN : 
case WM_RBUTTONUP: 
case WMCOMMAND: 
case B M_S ETST AT E : 
case BM_SETCHECK: 
case BM_CLICK: 
case WM_MBUTTONDOWN: 
case WM_MBUTTONUP: 
case WM_MBUTTONDBLCLK: 
case WM_RBUTTONDBLCLK: 
case WM_LBUTTONDBLCLK: 
return WndContinue(hWnd); 

} 

return TRUE; 

} 

NTSTATUS 
NTAPI 

HookUserMessageCall( 
HWND hWnd, 
UINT Msg, 
WPARAM wParam, 
LPARAM IParam, 
LRESULT IResult, 
DWORD dwUnknownl, 
DWORD dwllnknown2) 

{ 

NTSTATUS Status = STATUS_SUCCESS; 

if (MsgContinue(hWnd, Msg, wParam, IParam) && UserMessageCallHandler) 
{ 

Status = UserMessageCallHandler(hWnd, Msg, wParam, IParam, IResult, 
dwUnknownl, dwUnknown2); 

} 

#ifdef _DEBUG 
else 
{ 

DbgPrint( M [GDI NtUserMessageCall] BLOCKED: " 
"hWnd %x, Msg %x, wParam %x, IParam %x, " 
"Process %x\n", 
hWnd, Msg, wParam, IParam, 
GetCurrentProcesslD()); 

} 

#endif //_DEBUG 
return Status; 

} 

NTSTATUS 
NTAPI 

HookUserPostMessage( 
HWND hWnd, 
UINT Msg, 



WPARAM wParam, 
LPARAM IParam) 

{ 

NTSTATUS Status = STATUS_SUCCESS; 

if (MsgContinue(hWnd, Msg, wParam, IParam) && UserPostMessageHandler) 
{ 

Status = UserPostMessageHandler(hWnd, Msg, wParam, IParam); 

} 

#ifdef _DEBUG 
else 
{ 

DbgPrint( M [GDI NtUserPostMessage] BLOCKED: " 
"hWnd %x, Msg %x, wParam %x, IParam %x, " 
"Process %x\n", 
hWnd, Msg, wParam, IParam, 
GetCurrentProcesslD()); 

} 

#endif //_DEBUG 
return Status; 

} 

UINT 
NTAPI 

HookUserSend I nput( 
UINT nlnputs, // count of input events 

PVOID plnputs, // struct _LPINPUT plnputs - array of input events 
int cbSize) // size of structure 

{ 

HWND hWnd = 0; 

if (NtUserGetForegroundWindow && 

WndContinue(hWnd = NtUserGetForegroundWindowQ) && 
UserSendlnputHandler) 

{ 

return UserSendlnputHandler(nlnputs, plnputs, cbSize); 

} 

#ifdef _DEBUG 
else 
{ 

DbgPrint( M [GDI NtUserSetlnput] BLOCKED: " 
"hWnd %x, Process %x\n M , 
hWnd, GetCurrentProcesslD()); 

} 

#endif //_DEBUG 
return 0; 

} 

NTSTATUS StartTrackGDI() 
{ 

NTSTATUS Status = STATUS_SUCCESS; 
Status = Hooklnt2EService( 

&hUserMessageCall, 

HookUserMessageCall, 



Findlnt2EServiceBylD(USER_MESSAGE_CALL_SERVICE)); 
if (Status == STATUS_SUCCESS) 

UserMessageCallHandler = hUserMessageCall.pOldFunction; 
Status = Hooklnt2EService( 
&hUserPostMessage, 
HookUserPostMessage, 

Findlnt2EServiceBylD(USER_POST_MESSAGE_SERVICE)); 
if (Status == STATUS_SUCCESS) 

UserPostMessageHandler = hUserPostMessage.pOldFunction; 
Status = Hooklnt2EService( 

&hUserSendlnput, 

HookUserSendlnput, 

Findlnt2EServiceBylD(USER_SEND_INPUT_SERVICE)); 
if (Status == STATUS_SUCCESS) 
UserSendlnputHandler = hUserSendlnput.pOldFunction; 
Status = Findlnt2EServiceCall( 

Findlnt2EServiceBylD(USER_QUERY_WINDOW_SERVICE), 

(PVOID*)(&NtUserQueryWindow)); 
Status = Findlnt2EServiceCall( 

Findlnt2EServiceBylD(USER_GET_FOREGROUND_WINDOW_SERVICE), 

(PVOID*)(&NtUserGetForegroundWindow)); 
return Status; 

} 

NTSTATUS StopTrackGDI() 
{ 

NTSTATUS Status = STATUS_SUCCESS; 
Status = Unhooklnt2EService(&hUserMessageCall); 
Status = Unhooklnt2EService(&hUserPostMessage); 
Status = Unhooklnt2EService(&hUserSendlnput); 
return Status; 

} 

// vslpc_nt-c.txt 

// Copyright (c) 2003. Zone Labs, Inc. All Rights Reserved. 

I** *************************************** ***************************** ^ 

/** ZoneLabs TrueVector Engine *7 

/** Copyright(c) Zone Labs, Inc. 2003 **/ 

I***** ********************************************************** ******* J 

I* 

vslpc_nt.c (vsdatant.sys) 
Driver component for WinNT, hooking/monitoring of LPC calls 
History: 

GF 01/15/2003 Created 

7 

#include "ntddk.h" 
#include "stdarg.h" 
#include "stdio.h" 
#include "vsdatant.h" 
#include "vserror.h" 
#include "vsdriver.h" 
#ifdef _DEBUG 



#define_DEBUG_LPC 
#endif 

// Various data structures 

typedef struct _LPC_SECTION_OWNER_MEMORY { 

ULONG Length; 

HANDLE SectionHandle; 

ULONG OffsetlnSection; 

ULONG ViewSize; 

PVOID ViewBase; 

PVOI D OtherSideViewBase; 
} LPC_SECTION_OWNER_MEMORY, *PLPC_SECTION_OWNER_M EMORY; 
typedef struct _LPC_SECTION_M EMORY { 

ULONG Length; 

ULONG ViewSize; 

PVOID ViewBase; 
} LPC_SECTION_MEMORY, *PLPC_SECTION_MEMORY; 
typedef struct _LPC_MESSAGE { 

USHORT DataLength; 

USHORT Length; 

USHORT MessageType; 

USHORT DatalnfoOffset; 

CLIENTJD Clientld; 

ULONG Messageld; 

ULONG Callbackld; 
} LPC_MESSAGE, *PLPC_MESSAGE; 
// LPC call prototypes 
typedef NTSTATUS 
(NTAPI 

*NT_CONNECT_PORT) ( 

OUT PHANDLE ClientPortHandle, 

IN PUNICODE_STRING ServerPortName, 

IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, 

IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory, 

OUT PLPC_SECTION_MEMORY ServerSharedMemory, 

OUT PULONG MaximumMessageLength, 

IN OUT PVOID Connectionlnfo, 

IN OUT PULONG ConnectionlnfoLength); 
NTSYSAPI 
NTSTATUS 
NTAPI 

NtConnectPort( 

OUT PHANDLE ClientPortHandle, 

IN PUNICODE_STRING ServerPortName, 

IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, 

IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory, 

OUT PLPC_SECTION_MEMORY ServerSharedMemory, 

OUT PULONG MaximumMessageLength, 

IN OUT PVOID Connectionlnfo, 

IN OUT PULONG ConnectionlnfoLength); 
#ifdef _DEBUG_LPC 



// GFNOTE: This API doesn't exists in NT. Most parameters are guesses at this point, 
// I didn't find any prototypes online. So this breaks the driver for NT in debug 
// mode ... 

#define SECURE_CONNECT_PORT_SERVICE_NT 0x00000000 
#define SECURE_CONNECT_PORT_SERVICE_2K 0x000000b8 
#define SECURE_CONNECT_PORT_SERVICE_XP 0x000000d2 
typedef NTSTATUS 
(NTAPI 

*NT_SECURE_CONNECT_PORT) ( 

OUT PHANDLE ClientPortHandle, 

IN PUNICODE_STRING ServerPortName, 

IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, 

IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory, 

PVOID pUnknown, 

OUT PLPC_SECTION_MEMORY ServerShared Memory, 

OUT PULONG MaximumMessageLength, 

IN OUT PVOID Connectionlnfo, 

IN OUT PULONG ConnectionlnfoLength); 
/* Not exported by ntoskrnl 
NTSYSAPI 
NTSTATUS 
NTAPI 

NtSecureConnectPort( 

OUT PHANDLE ClientPortHandle, 

IN PUNICODE_STRING ServerPortName, 

IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, 

IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory, 

PVOID pUnknown, 

OUT PLPC_SECTION_MEMORY ServerSharedMemory, 

OUT PULONG MaximumMessageLength, 

IN OUT PVOID Connectionlnfo, 

IN OUT PULONG ConnectionlnfoLength); 

7 

#define CREATE PORT SERVICE NT 0x00000000 
#define CREATE_PORT_SERVICE_2K 0x00000028 
#define CREATE_PORT_SERVICE_XP 0x0000002e 
typedef NTSTATUS 
(NTAPI 

*NT_CREATE_PORT) ( 

OUT PHANDLE PortHandle, 

IN POBJECT_ATTRIBUTES Object Attributes, 

IN ULONG MaxConnectlnfoLength, 

IN ULONG MaxDataLength, 

IN OUT PULONG Reserved OPTIONAL ); 

/* Not exported by ntoskrnl 
NTSYSAPI 
NTSTATUS 
NTAPI 

NtCreatePort( 
OUT PHANDLE PortHandle, 



IN POBJECT_ATTRIBUTES ObjectAttributes, 
IN ULONG MaxConnectlnfoLength, 
IN ULONG MaxDataLength, 
IN OUT PULONG Reserved OPTIONAL ); 
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#endif //_DEGUG_LPC 

// Hook handlers and handles 

NT_CONNECT_PORT ConnectPortHandler = NULL; 
HOOK_FUNCTION hConnectPort = {0}; 
#ifdef_DEBUG_LPC 

NT_SECURE_CONNECT_PORT SecureConnectPortHandler = NULL; 
HOOK_FUNCTION hSecu reconnect Port = {0}; 
NT_CREATE_PORT Create Port Handler = NULL; 
HOOK_FUNCTION hCreatePort = {0}; 
#endif //_DEBUG_LPC 

NTSTATUS stdcall On ProcessLpcDns Access ( DWORD dwProcessID) 

{ 

// We are generating a "pseudo" WSock message here, not a process message 
PVSMSG_STREAM pMsg; 
PHOOKREQUEST pHook = pWSockHook; 
NTSTATUS Status = STATUS_SUCCESS; 
if (dwProcessID == dwMonitorProcessID) 
return STATUS_SUCCESS; 
if (pHook) 
{ 

pMsg = NewMessage( 
pHook, 

sizeof(VSMSG_STREAM), 

GetCurrentProcesslD(), 

GetCurrentThreadlD(), 

0, 0,0); 
if (pMsg) 
{ 

pMsg->dwMsgFlags |= MFM NEEDREPLY; 
pMsg->dwMsgLevel = MSG_LEVEL_INFO_LOW; 
Status = PutMessage(pHook, &pMsg, 

MCWSOCK_LPC_DNS_ACCESS_BEFORE, 

NULL, 0, 0); 
FreeMessage(pHook, (PBASEVSMSG)pMsg); 
if (Status) 

Status = STATUS_ACCESS_DENIED; 

} 

} 

return Status; 

} 

NTSTATUS 
NTAPI 

HookConnectPort( 

OUT PHANDLE ClientPortHandle, 
IN PUNICODE_STRING ServerPortName, 



IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, 

IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory, 

OUT PLPC_SECTION_MEMORY ServerShared Memory, 

OUT PULONG Maximum MessageLength, 

IN OUT PVOID Connectionlnfo, 

IN OUT PULONG ConnectionlnfoLength) 

{ 

NTSTATUS Status = STATUS_SUCCESS; 
CHAR cPortName[256] = ""; 
DWORD dwLen = 0; 

DWORD dwProcessID = GetCurrentProcesslD(); 
// GFNOTE: Should we run the whole thing in native UNICODE strings? 
// Do we need an exception handler here in case of bad parameters? 
if (ServerPortName) 

dwLen = UnicodeStringToChar(*ServerPortName, cPortName, sizeof(cPortName)); 
// DNS request to services.exe 

if (lstrcmpi(cPortName, "WRPC ControlWDNSResolver") == 0) 
{ 

Status = OnProcessLpcDnsAccess(dwProcesslD); 

} 

// add more checks here 

if ((Status == STATUS_SUCCESS)) 

{ 

if (ConnectPortHandler) 
{ 

Status = ConnectPortHandler( 
ClientPortHandle, 
ServerPortName, 
SecurityQos, 
ClientSharedMemory, 
ServerSharedMemory, 
MaximumMessageLength, 
Connectionlnfo, 
ConnectionlnfoLength); 

} 

else 
{ 

Status = NtConnectPort( 
ClientPortHandle, 
ServerPortName, 
SecurityQos, 
ClientSharedMemory, 
ServerSharedMemory, 
MaximumMessageLength, 
Connectionlnfo, 
ConnectionlnfoLength); 

} 

} 

#ifdef _DEBUG 

if (Status == STATUS_SUCCESS) 



DbgPrint( M [LPC NtConnectPort] H "%s"" (%x) OK - Port %x\n", 

cPortName, dwProcessID, ClientPortHandle ? *ClientPortHandle : 0); 

else 

DbgPrint( M [LPC NtConnectPort] ""%s"" (%x) FAIL - Status %x\n", 
cPortName, dwProcessID, Status); 
#endif //_DEBUG 
return Status; 

} 

#ifdef _DEBUG_LPC 

NTSTATUS 

NTAPI 

HookSecureConnectPort( 

OUT PHANDLE ClientPortHandle, 

IN PUNICODE_STRING ServerPortName, 

IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, 

IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory, 

PVOID pUnknown, 

OUT PLPC_SECTION_MEMORY ServerShared Memory, 

OUT PULONG MaximumMessageLength, 

IN OUT PVOID Connectionlnfo, 

IN OUT PULONG ConnectionlnfoLength) 

{ 

NTSTATUS Status = STATUS_SUCCESS; 
CHAR cPortName[256] = ""; 
DWORD dwLen = 0; 

DWORD dwProcessID = GetCurrentProcesslD(); 
// GFNOTE: Should we run the whole thing in native UNICODE strings? 
// Do we need an exception handler here in case of bad parameters? 
if (ServerPortName) 

dwLen = UnicodeStringToCharfServerPortName, cPortName, sizeof (cPortName)); 
// DNS request to services.exe 

if (lstrcmpi(cPortName, "WRPC ControlWDNSResolver") == 0) 
{ 

Status = OnProcessLpcDnsAccess(dwProcesslD); 

} 

// add more checks here 

if ((Status == STATUS_SUCCESS)) 

{ 

if (ConnectPortHandler) 
{ 

Status = SecureConnectPortHandler( 
ClientPortHandle, 
ServerPortName, 
SecurityQos, 
ClientSharedMemory, 
pUnknown, 

ServerSharedMemory, 
MaximumMessageLength, 
Connectionlnfo, 
ConnectionlnfoLength); 



} 

else 
{ 

/* Status = NtSecureConnectPort( 
ClientPortHandle, 
ServerPortName, 
SecurityQos, 
ClientSharedMemory, 
pUnknown, 

ServerSharedMemory, 
MaximumMessageLength, 
Connectionlnfo, 
ConnectionlnfoLength);*/ 
Status = STATUS_ACCESS_DENIED; 

} 

} 

#ifdef _DEBUG 

if (Status == STATUS_SUCCESS) 

DbgPrint("[LPC NtSecureConnectPort] ""%s ,m (%x) OK - Port %x\n", 
cPortName, dwProcessID, ClientPortHandle ? "ClientPortHandle : 0); 

else 

DbgPrint( M [LPC NtSecureConnectPort] ""%s ,m (%x) FAIL - Status %x\n", 
cPortName, dwProcessID, Status); 
#endif //_DEBUG 
return Status; 

} 

NTSTATUS 
NTAPI 

HookCreatePort( 

OUT PHANDLE PortHandle, 

IN POBJECT_ATTRIBUTES Object Attributes, 

IN ULONG MaxConnectlnfoLength, 

IN ULONG MaxDataLength, 

IN OUT PULONG Reserved OPTIONAL ) 

{ 

NTSTATUS Status = STATUS_SUCCESS; 
CHAR cPortName[256] = ""; 
DWORD dwLen = 0; 

DWORD dwProcessID = GetCurrentProcesslD(); 

// GFNOTE: Should we run the whole thing in native UNICODE strings? 

// Do we need an exception handler here in case of bad parameters? 

if (ObjectAttributes && ObjectAttributes->ObjectName) 

dwLen = UnicodeStringToChar(*(ObjectAttributes->ObjectName), 

cPortName, sizeof(cPortName)); 
// add more checks here 
if ((Status == STATUS_SUCCESS)) 
{ 

if (CreatePortHandler) 
{ 

Status = CreatePortHandler( 



PortHandle, 

ObjectAttributes, 

MaxConnectlnfoLength, 

MaxDataLength, 

Reserved); 

} 

else 
{ 

/*Status = NtCreatePort( 

PortHandle, 

ObjectAttributes, 

MaxConnectlnfoLength, 

MaxDataLength, 

Reserved); 7 
Status = STATUS_ACCESS_DENIED; 

} 

} 

#ifdef _DEBUG 

if (Status == STATUS_SUCCESS) 

DbgPrint( M [LPC NtCreatePort] H "%s"" (%x) OK - Port %x\n M , 
cPortName, dwProcessID, PortHandle ? *PortHandle : 0); 

else 

DbgPrint( M [LPC NtCreatePort] MM %s MM (%x) FAIL - Status %x\n M , 
cPortName, dwProcessID, Status); 
#endif //_DEBUG 
return Status; 

} 

#endif //_DEGUG_LPC 
NTSTATUS StartTrackLPC() 
{ 

NTSTATUS Status; 
Status = Hooklnt2EService( 

&hConnectPort, 

HookConnectPort, 

Findlnt2EService(NtConnectPort, 0)); 
if (Status == STATUS_SUCCESS) 
ConnectPortHandler = hConnectPort.pOldFunction; 
else 

Status = STATUSJJNSUCCESSFUL; 
#ifdef _DEBUG_LPC 
Status = Hooklnt2EService( 

&hSecureConnectPort, 

HookSecureConnectPort, 

Findlnt2EServiceBylD(SECURE_CONNECT_PORT_SERVICE)); 
if (Status == STATUS_SUCCESS) 

SecureConnectPortHandler = hSecureConnectPort.pOldFunction; 
else 

Status = STATUSJJNSUCCESSFUL; 
Status = Hooklnt2EService( 
&hCreatePort, 



HookCreatePort, 

Findlnt2EServiceBylD(CREATE_PORT_SERVICE)); 
if (Status == STATUS_SUCCESS) 
CreatePortHandler = hCreatePort.pOldFunction; 
else 

Status = STATUSJJNSUCCESSFUL; 
#endif //_DEGUG_LPC 
return Status; 

} 

NTSTATUS StopTrackLPC() 
{ 

NTSTATUS Status; 

Status = Unhooklnt2EService(&hConnectPort); 
#ifdef _DEBUG_LPC 

Status = Unhooklnt2EService(&hSecureConnectPort); 
Status = Unhooklnt2EService(&hCreatePort); 
#endif //_DEGUG_LPC 
return Status; 

} 



